formbook | 36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c

General

Target

offjetsew3321.exe
Size

228KB
MD5

98f963b9d7225413ec18f48a473c1f40
SHA1

1272577d90b8d212416732e54258b136cbd2f3d3
SHA256

36f515bac3960c07aea759f03208f901b84050cd57c84a2fce20e92b83158b3c
SHA512

778b186ef6c85651bb722701ee77785aed3bd51048a3ecd12423779c8b1ac640eea61a85712ceb03be48916b8c20c587adc4ee9f625f3a4b96a442f9b550b579
SSDEEP

6144:QBn1yQEl9B3my7WMRNICK7WtIGpUv82m+mLZxhhO4+/:gnEl9Iy7zRNI7BGpU4L1J+/

Score

10^/10

formbook je14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je14

Decoy

innervisionbuildings.com

theenergysocialite.com

565548.com

panghr.com

onlyonesolutions.com

stjohnzone6.com

cnotes.rest

helfeb.online

xixi-s-inc.club

easilyentered.com

theshopx.store

mrclean-ac.com

miamibeachwateradventures.com

jpearce.co.uk

seseragi-bunkou.com

minimaddie.com

commbank-help-849c3.com

segohandelsonderneming.com

namthanhreal.com

fototerapi.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3560-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3560-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4460-148-0x0000000000A30000-0x0000000000A5F000-memory.dmp	formbook
behavioral2/memory/4460-151-0x0000000000A30000-0x0000000000A5F000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

nfvyobds.exenfvyobds.exe

pid process

636 nfvyobds.exe
3560 nfvyobds.exe

pid	process
636	nfvyobds.exe
3560	nfvyobds.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

nfvyobds.exenfvyobds.exenetsh.exe

description	pid	process	target process
PID 636 set thread context of 3560	636	nfvyobds.exe	nfvyobds.exe
PID 3560 set thread context of 2932	3560	nfvyobds.exe	Explorer.EXE
PID 4460 set thread context of 2932	4460	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

nfvyobds.exenetsh.exe

pid	process
3560	nfvyobds.exe
3560	nfvyobds.exe
3560	nfvyobds.exe
3560	nfvyobds.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe
4460	netsh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2932 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

nfvyobds.exenfvyobds.exenetsh.exe

pid process

636 nfvyobds.exe
3560 nfvyobds.exe
3560 nfvyobds.exe
3560 nfvyobds.exe
4460 netsh.exe
4460 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

nfvyobds.exenetsh.exe

description pid process

Token: SeDebugPrivilege 3560 nfvyobds.exe
Token: SeDebugPrivilege 4460 netsh.exe

pid	process
2932	Explorer.EXE

pid	process
636	nfvyobds.exe
3560	nfvyobds.exe
3560	nfvyobds.exe
3560	nfvyobds.exe
4460	netsh.exe
4460	netsh.exe

description	pid	process
Token: SeDebugPrivilege	3560	nfvyobds.exe
Token: SeDebugPrivilege	4460	netsh.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

offjetsew3321.exenfvyobds.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 920 wrote to memory of 636	920	offjetsew3321.exe	nfvyobds.exe
PID 920 wrote to memory of 636	920	offjetsew3321.exe	nfvyobds.exe
PID 920 wrote to memory of 636	920	offjetsew3321.exe	nfvyobds.exe
PID 636 wrote to memory of 3560	636	nfvyobds.exe	nfvyobds.exe
PID 636 wrote to memory of 3560	636	nfvyobds.exe	nfvyobds.exe
PID 636 wrote to memory of 3560	636	nfvyobds.exe	nfvyobds.exe
PID 636 wrote to memory of 3560	636	nfvyobds.exe	nfvyobds.exe
PID 2932 wrote to memory of 4460	2932	Explorer.EXE	netsh.exe
PID 2932 wrote to memory of 4460	2932	Explorer.EXE	netsh.exe
PID 2932 wrote to memory of 4460	2932	Explorer.EXE	netsh.exe
PID 4460 wrote to memory of 4052	4460	netsh.exe	cmd.exe
PID 4460 wrote to memory of 4052	4460	netsh.exe	cmd.exe
PID 4460 wrote to memory of 4052	4460	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2932

C:\Users\Admin\AppData\Local\Temp\offjetsew3321.exe
"C:\Users\Admin\AppData\Local\Temp\offjetsew3321.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
"C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe" C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
"C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe" C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe"
3⤵
PID:4052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jhknljkson.ade
Filesize
5KB

MD5
a01427ca1c1582996464569f7698d06c

SHA1
77afe61bc26385d7f334091cedc82c07045bbefd

SHA256
0d4b7dad87d14f15d860d0699dcd9613a074ba389653ba6c11fde1c886c7b1f0

SHA512
f36d126d8d43ad8292740e3c344fe6c86d5d7491bb29f14c45fd3193d7bfb3985d64b0e40acd5f18c6402361ee982b124907a777a420637ed1b935aa5a0a82fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvpxu.xyq
Filesize
185KB

MD5
c059805868cd8cb1a7e2249d8a5d169c

SHA1
a6fa675a027113edff5bec4c21ade795da0e2028

SHA256
bce097be8bba40084ad6a4bd1b5bc40d43dd4f44abdce4bec246947b089ac938

SHA512
449ff100f77af907ba2bb93c7520344f8dcabb887c9aedf053d8e31bd05e7f2f2bec7eb6ea82887f6d79d8fa46e0f62e36d4968a6f3bbe759228e6cbae247fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
Filesize
59KB

MD5
d660fe612ef6aa2af1d2ce26d213d38e

SHA1
6055e297bfc1a2cdf34ea79d17b3150e16231273

SHA256
15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2

SHA512
0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
Filesize
59KB

MD5
d660fe612ef6aa2af1d2ce26d213d38e

SHA1
6055e297bfc1a2cdf34ea79d17b3150e16231273

SHA256
15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2

SHA512
0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfvyobds.exe
Filesize
59KB

MD5
d660fe612ef6aa2af1d2ce26d213d38e

SHA1
6055e297bfc1a2cdf34ea79d17b3150e16231273

SHA256
15c2c4e1b0282f7b0a1a2050000f2ecd9c2d41ad2ccc4f38e16542af2b162ef2

SHA512
0de1d57640aa2185649f308908aca93992d1b4bb2766b746e595f4f3872510af697d9197d4556f75ea8f9a01af17570ca7ec56409d9292ed20e1a261ca0fe1b8

Download Submit
memory/636-132-0x0000000000000000-mapping.dmp

Download
memory/2932-142-0x0000000008190000-0x00000000082C0000-memory.dmp

Filesize
1.2MB

Download
memory/2932-152-0x0000000002DD0000-0x0000000002EA0000-memory.dmp

Filesize
832KB

Download
memory/2932-150-0x0000000002DD0000-0x0000000002EA0000-memory.dmp

Filesize
832KB

Download
memory/3560-137-0x0000000000000000-mapping.dmp

Download
memory/3560-141-0x0000000000E70000-0x0000000000E84000-memory.dmp

Filesize
80KB

Download
memory/3560-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3560-140-0x00000000009A0000-0x0000000000CEA000-memory.dmp

Filesize
3.3MB

Download
memory/3560-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-145-0x0000000000000000-mapping.dmp

Download
memory/4460-143-0x0000000000000000-mapping.dmp

Download
memory/4460-146-0x0000000000CC0000-0x0000000000CDE000-memory.dmp

Filesize
120KB

Download
memory/4460-147-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/4460-148-0x0000000000A30000-0x0000000000A5F000-memory.dmp

Filesize
188KB

Download
memory/4460-149-0x00000000011A0000-0x0000000001233000-memory.dmp

Filesize
588KB

Download
memory/4460-151-0x0000000000A30000-0x0000000000A5F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads